Mundy IT Knowledge Base

Audit NTFS Permissions

  1. Call the script like:
    .\Get-PathPermissions.ps1 "D:\Company" "C:\CompanyPermissions.csv"

    Make sure you include the full path in the CSV name, or it will return errors.

  2. Open the file in Excel, select the IdentityReference column, Data>Filter, then you can filter out system users, e.g. Administrators/SYSTEM/service accounts, so that only the user and group grants that actually need reviewing remain.

What the report contains: every ACE on the root folder you name, then only the explicit (non-inherited) ACEs on each subfolder, i.e. the places where somebody has deviated from the inherited permissions. Files that carry their own ACEs are not listed, and any folder the running account cannot read will make Get-ACL raise an error for that path, so run it as an account that can read the whole tree (a local administrator or a member of Backup Operators on the file server) and check the errors before trusting the CSV as complete.

Note: This script requires PowerShell version 3 or newer, because the -LiteralPath parameter of Get-ACL is not available in previous versions. Get-PathPermissions2 in the script below (which uses the .NET GetAccessControl() method instead) works on older versions; there's also an alternative on the original author's site.




Get-PathPermissions.ps1
# Downloaded from http://it.mundy.co
 
function Get-PathPermissions {
 
param ( [Parameter(Mandatory=$true)] [System.String]${Path} )
 
    begin {
    # Root folder: report every ACE, inherited or not, so the report starts from a known baseline
    $root = Get-Item -LiteralPath $Path
    ($root | Get-Acl).Access | Add-Member -MemberType NoteProperty -Name "Path" -Value $root.FullName -PassThru
    }
    process {
    # Subfolders only (files with their own ACEs are not reported); -Force also returns hidden/system folders
    $containers = Get-ChildItem -LiteralPath $Path -Recurse -Force | ? {$_.PSIsContainer -eq $true}
    if (-not $containers) {return}
        foreach ($container in $containers)
        {
        # Only explicit (non-inherited) ACEs: these are the deviations from the parent's permissions
        (Get-Acl -LiteralPath $container.FullName).Access | ? { $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $container.FullName -PassThru
        }
    }
}
 
function Get-PathPermissions2 {
 
param ( [Parameter(Mandatory=$true)] [System.String]${Path} )
 
begin {
# Same report as Get-PathPermissions, but via .NET GetAccessControl() so it runs on PowerShell 2 (no Get-Acl -LiteralPath)
$root = Get-Item -LiteralPath $Path
$root.GetAccessControl().Access | Add-Member -MemberType NoteProperty -Name "Path" -Value $root.FullName -PassThru -Force
}
process {
$containers = Get-ChildItem -LiteralPath $Path -Recurse -Force | ? {$_.PSIsContainer -eq $true}
if (-not $containers) {return}
foreach ($container in $containers)
{
$container.GetAccessControl().Access | ? { $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $container.FullName -PassThru -Force
}
}
}
 
if ($args.Count -lt 2) { Write-Error 'Usage: .\Get-PathPermissions.ps1 <folder> <output.csv>'; exit 1 }
$csvfile = $args[1]
 
Write-Host "Evaluating permissions..."
 
# Set the following to Get-PathPermissions2 if using an older version of PowerShell
# -NoTypeInformation drops the "#TYPE ..." first line that Export-Csv otherwise writes
Get-PathPermissions $args[0] | Export-Csv $csvfile -NoTypeInformation
 
# Translate the InheritanceFlags/PropagationFlags column pair into the "Applies to" wording of the
# Security dialog. These are plain text replacements on the CSV, so the header is replaced too and
# the two columns become one. The file is rewritten once, as UTF-8 without BOM, so non-ASCII
# account names are preserved (the earlier -Encoding ascii rewrite turned them into "?").
$text = [IO.File]::ReadAllText($csvfile)
$text = $text.Replace('"InheritanceFlags","PropagationFlags"', '"Applies to"')
$text = $text.Replace('"ContainerInherit, ObjectInherit","None"', '"This folder, subfolders and files"')
$text = $text.Replace('"None","None"', '"This folder only"')
$text = $text.Replace('"ContainerInherit, ObjectInherit","InheritOnly"', '"Subfolders and files only"')
$text = $text.Replace('"ContainerInherit","None"', '"This folder and subfolders"')
[IO.File]::WriteAllText($csvfile, $text)

This script makes the following find/replace operations, to make it a bit more human-readable (any flag combination not in this list, e.g. ObjectInherit on its own or NoPropagateInherit, is left as the raw flag names):

"ContainerInherit, ObjectInherit","None"
This folder, subfolders and files

"None","None"
This folder only

"ContainerInherit, ObjectInherit","InheritOnly"
Subfolders and files only

"ContainerInherit","None"
This folder and subfolders
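The four replacements above and the Excel filtering in step 2 can both be done in PowerShell. The following is an added example, not part of the original script: it decodes every InheritanceFlags/PropagationFlags combination the Advanced Security dialog can produce (the "(one level only)" suffix for NoPropagateInherit is my own wording for the dialog's "Only apply these permissions to objects and/or containers within this container" checkbox), and drops the built-in principals you would otherwise filter out by hand. The list of noise principals and the CSV rows are constructed for the example; on a real report replace the here-string with `Import-Csv C:\CompanyPermissions.csv` (run on the CSV before the script's own find/replace, since it reads the raw flag columns).

```powershell
# Added example (not from the original page): decode "Applies to" and filter a Get-PathPermissions CSV.

# Map an ACE's inheritance/propagation pair to the "Applies to" text of the Advanced Security dialog.
function ConvertTo-AppliesTo {
    param([string]$InheritanceFlags, [string]$PropagationFlags)
    $ci = $InheritanceFlags -match 'ContainerInherit'
    $oi = $InheritanceFlags -match 'ObjectInherit'
    $io = $PropagationFlags -match 'InheritOnly'
    if ($ci -and $oi) { $text = if ($io) { 'Subfolders and files only' } else { 'This folder, subfolders and files' } }
    elseif ($ci)      { $text = if ($io) { 'Subfolders only' }           else { 'This folder and subfolders' } }
    elseif ($oi)      { $text = if ($io) { 'Files only' }                else { 'This folder and files' } }
    else              { $text = 'This folder only' }
    # NoPropagateInherit: the grant stops one level down (my wording, not a dialog string)
    if ($PropagationFlags -match 'NoPropagateInherit') { $text += ' (one level only)' }
    return $text
}

# Principals present on nearly every folder that only add noise to a review (assumed list; extend as needed).
$NoisePrincipals = @(
    'NT AUTHORITY\SYSTEM', 'BUILTIN\Administrators', 'CREATOR OWNER', 'NT SERVICE\TrustedInstaller'
)

# Keep only the ACEs worth a human's attention and present them with the decoded "Applies to".
function Get-ReviewableAces {
    param([Parameter(ValueFromPipeline=$true)] $Ace)
    process {
        if ($NoisePrincipals -contains $Ace.IdentityReference) { return }
        [pscustomobject]@{
            Path      = $Ace.Path
            Identity  = $Ace.IdentityReference
            Rights    = $Ace.FileSystemRights
            Type      = $Ace.AccessControlType
            AppliesTo = ConvertTo-AppliesTo $Ace.InheritanceFlags $Ace.PropagationFlags
        }
    }
}

# Constructed sample rows in the shape Export-Csv writes for Get-PathPermissions output.
$sampleCsv = @'
"FileSystemRights","AccessControlType","IdentityReference","IsInherited","InheritanceFlags","PropagationFlags","Path"
"FullControl","Allow","BUILTIN\Administrators","False","ContainerInherit, ObjectInherit","None","D:\Company"
"FullControl","Allow","NT AUTHORITY\SYSTEM","False","ContainerInherit, ObjectInherit","None","D:\Company"
"Modify, Synchronize","Allow","CORP\Finance","False","ContainerInherit, ObjectInherit","InheritOnly","D:\Company\Finance"
"ReadAndExecute, Synchronize","Allow","CORP\Staff","False","ContainerInherit","None","D:\Company\Shared"
"Write","Deny","CORP\Contractors","False","ObjectInherit","NoPropagateInherit","D:\Company\Shared"
"FullControl","Allow","CORP\jsmith","False","None","None","D:\Company\HR\Payroll"
'@

# The Administrators and SYSTEM rows are dropped; the CORP\jsmith row (one user with FullControl on a
# sensitive folder, "This folder only") is exactly the kind of finding the review exists to surface.
$sampleCsv | ConvertFrom-Csv | Get-ReviewableAces | Format-Table -AutoSize
```

The decode works from the flag names rather than string replacement, so it also handles the ObjectInherit-only and NoPropagateInherit cases the script's find/replace leaves as raw flags. A Deny ACE (the CORP\Contractors row) is kept on purpose: deny entries are as important to review as broad allows, because they silently override group grants.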

Version without the find/replace

Call it like this (the file is Document-NTFS-Permissions.ps1; -NoTypeInformation drops the "#TYPE" line Export-CSV adds by default):

.\Document-NTFS-Permissions.ps1 D:\Foldername | Export-CSV Foldername.csv -NoTypeInformation
Document-NTFS-Permissions.ps1
# Downloaded from http://it.mundy.co
 
function Get-PathPermissions {
 
param ( [Parameter(Mandatory=$true)] [System.String]${Path} )
 
    begin {
    # Root folder: report every ACE, inherited or not
    $root = Get-Item -LiteralPath $Path
    ($root | Get-Acl).Access | Add-Member -MemberType NoteProperty -Name "Path" -Value $root.FullName -PassThru
    }
    process {
    # Subfolders only; -Force also returns hidden/system folders
    $containers = Get-ChildItem -LiteralPath $Path -Recurse -Force | ? {$_.PSIsContainer -eq $true}
    if (-not $containers) {return}
        foreach ($container in $containers)
        {
        # Only explicit (non-inherited) ACEs on each subfolder
        (Get-Acl -LiteralPath $container.FullName).Access | ? { $_.IsInherited -eq $false } | Add-Member -MemberType NoteProperty -Name "Path" -Value $container.FullName -PassThru
        }
    }
}
if ($args.Count -lt 1) { Write-Error 'Usage: .\Document-NTFS-Permissions.ps1 <folder>'; exit 1 }
Get-PathPermissions $args[0]

Audit Changes of Permissions

I haven't tested the following but thought it looked good, capturing for when I need it:

If I needed to track the changes of permissions on a given directory I would enable Group Policy or Local Security Policy to audit access and then use the Get-EventLog cmdlet to parse the Security logs for Events 560, 562.

To audit changes to file permission structure on NTFS, please follow the steps:

1. Define the group policy "Audit object access" to audit the attempts "Success" or "Failure" for the target computer.
a. Open the computer local group policy (gpedit.msc) or create a GPO and link it to the target computer OU (gpmc.msc).
b. Expand the group policy to [Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy\Audit object access]
c. Double click "Audit object access", tick the option "Define these policy settings".
d. Select both "Success" and "Failure", click OK.
e. Run "gpupdate /force" on the target computer if you chose the GPO deployment.
2. Enable the auditing changes on the target NTFS file or folder level.
a. Go to the file or folder properties -> Security -> Advanced -> Auditing tab
b. Click on Add and add Everyone
c. Under "Apply to" make sure "This Folder, Subfolders and Files" is selected
d. Tick the check boxes for "Change permissions", both "Successful" and "Failed".

Hope this helps,

jfrmilner.

Audit NTFS Permissions PowerShell Script | jfrmilner's Tech Blog
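The two manual steps quoted above (audit policy, then a SACL on the folder) and the event-log search can be scripted. The following is an added example of mine, not code from the page or from jfrmilner's post. It assumes Windows Vista/Server 2008 or later, where "Audit object access" is split into subcategories and a DACL change on a file or folder is logged as Security event 4670 ("Permissions on an object were changed"); the pre-Vista IDs 560/562 named above are object open/handle closed events and are not raised on those systems. The folder D:\Company and the 24-hour window are placeholders. It must run elevated: writing a SACL needs SeSecurityPrivilege and the Security log is readable only by administrators.

```powershell
# Added example (not from the original page): enable permission-change auditing on one folder tree
# and read back the resulting Security events. Run as an administrator.
param(
    [string]$Folder = 'D:\Company',   # placeholder path
    [int]$Hours = 24                   # how far back to search the Security log
)

# 1. Policy: "Audit object access" maps to the "File System" subcategory; auditpol sets it locally.
#    A GPO that also defines audit policy will overwrite this at the next refresh, so prefer the GPO
#    route from the steps above for anything permanent.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL: audit "Change permissions" and "Take ownership" by Everyone on this folder, subfolders and files.
$acl = Get-Acl -LiteralPath $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    ([System.Security.AccessControl.FileSystemRights]::ChangePermissions -bor
     [System.Security.AccessControl.FileSystemRights]::TakeOwnership),
    ([System.Security.AccessControl.InheritanceFlags]::ContainerInherit -bor
     [System.Security.AccessControl.InheritanceFlags]::ObjectInherit),
    [System.Security.AccessControl.PropagationFlags]::None,
    ([System.Security.AccessControl.AuditFlags]::Success -bor
     [System.Security.AccessControl.AuditFlags]::Failure))
$acl.AddAuditRule($rule)
Set-Acl -LiteralPath $Folder -AclObject $acl

# 3. Collect: event 4670 carries who changed which object's DACL, and the old and new security
#    descriptors in SDDL, so the exact ACEs added or removed can be diffed afterwards.
function Get-PermissionChangeEvents {
    param([string]$Path, [datetime]$Since)
    $filter = @{ LogName = 'Security'; Id = 4670; StartTime = $Since }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The event XML has named <Data> fields; pull the useful ones and keep only this folder tree.
        $x = [xml]$_.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        if ($d['ObjectName'] -like "$Path*") {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
                Object  = $d['ObjectName']
                Process = $d['ProcessName']
                OldSddl = $d['OldSd']    # DACL before the change
                NewSddl = $d['NewSd']    # DACL after the change
            }
        }
    }
}

Get-PermissionChangeEvents -Path $Folder -Since (Get-Date).AddHours(-$Hours) |
    Sort-Object Time | Format-Table -AutoSize
```

Auditing only ChangePermissions and TakeOwnership keeps the Security log usable; auditing every access on a busy share (as a SACL for "Full control" would) produces thousands of 4663 events an hour and buries the permission changes you are looking for. The OldSd/NewSd pair is the part worth keeping in a ticket: it is the evidence of exactly what was granted, independent of whatever the DACL looks like by the time someone investigates.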

audit_ntfs_permissions.txt · Last modified: 2018/04/09 09:56 (external edit)